[57] ABSTRACT

A system and method for detecting trigger events in datastreams received over a computer communication network is disclosed. The system includes an interceptor for intercepting datastreams from a computer network intended for an application program; a scanner for scanning the intercepted datastream for trigger events, such as cookie data, script commands, and applet programs; and an event response generator for processing detected trigger events. Configuration data is used to identify a response for trigger events such as disabling script commands or programs and deleting or modifying cookie data. The event indicators and an action menu are generated by the event response generator and delivered with the processed datastream to the application program. The application program displays the event indicators so the user is made aware of the trigger events and the action menu allows a user to respond to the detected trigger events. In the preferred implementation, the user may respond by obtaining information about the site which transmitted the datastream having the trigger events and then send e-mail to the administrator of the site. Other actions include modifying the configuration data so subsequent datastreams with the trigger event are passed by the system. Outbound messages from the application program are also intercepted and scanned for trigger events. In the preferred implementation, the configuration data are exchanged between the system and the application program so the user may modify the operation of the system. The configuration data are deleted from the outbound datastream before it is transmitted in the preferred implementation. The system and method of the present invention allow a user to view detected trigger events which otherwise would occur without the user's knowledge and provide the user with sufficient information so the user can make an informed decision as to whether to accept trigger events in a datastream from another site.

40 Claims, 6 Drawing Sheets 






04/11/2003, EAST Version: 1.03.0002 



6,085,224 




U.S. Patent    Jul. 4, 2000    Sheet 1 of 6    6,085,224

[FIG. 1: block diagram. Labelled blocks: APPLICATION; EVENT RESPONSE GENERATOR; CONFIGURATION FILE (38); SCANNER (32); INTERCEPTOR (30); communication stack (12) with TRANSPORT, NETWORK, DATA LINK and PHYSICAL layers.]






[FIG. 2: HTML file processing, steps A to E. From server: HEADER (cookie), HTML. Processed inbound datastream: HEADER (cookie IV), HTML, event and action HTML <FORMS>, action scripts. Browser display: event indicator (COOKIE) and action menu (ACCEPT COOKIES, ACCEPT SCRIPT, ACCEPT APPLETS, RESET PAGE). Outbound: HEADER, HTML GET or POST request; DELETE COOKIE: IV.]






<INPUT TYPE="checkbox" name="b1">
Allow the Web Page to temporarily store data while it is displayed in your browser's window<br>
<INPUT TYPE="checkbox" name="b2">
Allow the Web Page to store data on your disk drive and leave it there<br>
<INPUT TYPE="checkbox" name="b3">
Allow the Web Page to send the data it stored on your computer back to the Web Site<br>
<INPUT TYPE="checkbox" name="b4">
Allow the Web Page to request data from other Web Sites to be displayed in your browser's window<br>
<INPUT TYPE="checkbox" name="b5">
Allow the Web Page to request data from other Web Sites that may be stored on your computer<br>
<INPUT TYPE="checkbox" name="b6">
Allow the Web Page to run programs in your browser's display window<br>
<INPUT TYPE="checkbox" name="b7">
Allow the Web Page to run programs on your computer<p>
<INPUT TYPE="checkbox" name="b8">
Restrict sending browser and user email information to the Web Site<br>
<INPUT TYPE="checkbox" name="b9">
Do not receive continuous advertisements or page updates from the Web Site<br>
<INPUT TYPE="checkbox" name="b10">
Disable all disk file reads and writes while connected to the Internet<br>

<INPUT TYPE="button" VALUE="RESET PAGE" onClick="modify_restrictions(this.form)">
</FORM>



FIG. 3 
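<SCRIPT>
// Minimal array constructor. FIG. 4 calls MakeArray but does not show it;
// this definition is assumed.
function MakeArray(n) { this.length = n; }

// Builds the ten-digit action map from the FIG. 3 checkboxes (b1..b10)
// and stores it as a cookie.
function modify_restrictions(thisform)
{
  var x = new MakeArray(10);
  x[1] = (thisform.b1.checked) ? "1" : "0";
  x[2] = (thisform.b2.checked) ? "1" : "0";
  x[3] = (thisform.b3.checked) ? "1" : "0";
  x[4] = (thisform.b4.checked) ? "1" : "0";
  x[5] = (thisform.b5.checked) ? "1" : "0";
  x[6] = (thisform.b6.checked) ? "1" : "0";
  x[7] = (thisform.b7.checked) ? "1" : "0";
  x[8] = (thisform.b8.checked) ? "1" : "0";
  x[9] = (thisform.b9.checked) ? "1" : "0";
  x[10] = (thisform.b10.checked) ? "1" : "0";

  // The initial value of iv is illegible in the scan; "IV=" is assumed
  // from the cookie name IV shown in FIG. 2.
  var iv = "IV=";
  for (var i = 1; i < 11; i++)
    iv = iv + x[i];

  document.cookie = iv;
  history.go(0);  // reload the current page
}
</SCRIPT>
<FORM>
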



FIG. 4 
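
The receiving side of the FIG. 3 and FIG. 4 exchange, as an added JavaScript example that is not part of the patent or its figures: it reads the action map out of an outbound request's Cookie header, decodes it, and strips it so it never reaches the server. It assumes the map travels as a cookie named IV (the name FIG. 2 shows) holding ten 0/1 digits in b1..b10 order; the field names and the sample request are constructed for illustration.

```javascript
'use strict';

// Hypothetical field names, one per FIG. 3 checkbox, in b1..b10 order.
const ACTION_MAP_FIELDS = [
  'allowSessionData',            // b1
  'allowPersistentData',         // b2
  'allowSendStoredData',         // b3
  'allowThirdPartyDisplay',      // b4
  'allowThirdPartyStoredData',   // b5
  'allowProgramsInWindow',       // b6
  'allowProgramsOnComputer',     // b7
  'restrictBrowserAndEmailInfo', // b8
  'blockContinuousUpdates',      // b9
  'disableDiskIo',               // b10
];

// "1010000000" -> { allowSessionData: true, allowPersistentData: false, ... }
// Anything that is not exactly ten 0/1 digits is rejected.
function decodeActionMap(bits) {
  if (!/^[01]{10}$/.test(bits)) return null;
  const map = {};
  ACTION_MAP_FIELDS.forEach((name, i) => { map[name] = bits[i] === '1'; });
  return map;
}

// Inverse of decodeActionMap, e.g. for writing a default map into an inbound header.
function encodeActionMap(map) {
  return ACTION_MAP_FIELDS.map((name) => (map[name] ? '1' : '0')).join('');
}

// Scan outbound request header lines. The IV cookie is always removed,
// even when malformed; every other cookie is forwarded untouched.
function processOutboundHeaders(headerLines) {
  let actionMap = null;
  let sawActionCookie = false;
  const forwarded = [];
  for (const line of headerLines) {
    const m = /^cookie\s*:\s*(.*)$/i.exec(line);
    if (!m) { forwarded.push(line); continue; }
    const kept = [];
    for (const part of m[1].split(';')) {
      const pair = part.trim();
      if (pair === '') continue;
      const eq = pair.indexOf('=');
      const name = eq === -1 ? pair : pair.slice(0, eq);
      if (name === 'IV') {
        sawActionCookie = true;
        const decoded = decodeActionMap(eq === -1 ? '' : pair.slice(eq + 1));
        if (decoded) actionMap = decoded;
        continue; // never forwarded to the server
      }
      kept.push(pair);
    }
    // Drop the Cookie header entirely if IV was its only content.
    if (kept.length > 0) forwarded.push('Cookie: ' + kept.join('; '));
  }
  return { actionMap, sawActionCookie, headerLines: forwarded };
}

// Constructed sample request (not captured traffic).
const SAMPLE_REQUEST = [
  'GET /index.html HTTP/1.0',
  'Host: www.example.com',
  'Cookie: session=abc; IV=1010000000; theme=dark',
];

const outbound = processOutboundHeaders(SAMPLE_REQUEST);
console.log(outbound.headerLines.join('\n'));
console.log(outbound.actionMap);
```
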
METHOD AND SYSTEM FOR RESPONDING TO HIDDEN DATA AND PROGRAMS IN A DATASTREAM

FIELD OF THE INVENTION 

This invention relates to detecting hidden data in a 
datastream, and, more particularly, to detecting hidden data 
in a datastream communicated over an open network. 

BACKGROUND OF THE INVENTION 

Open networks, such as the Internet, are well known. Open networks permit a large number of computers and networks to be coupled to one another without requiring the application programs which communicate over the network to implement communication protocols. Instead, each computer includes a hardware component which forwards data messages received from one computer to the next computer. The data message is also examined to determine if the communication is for the particular computer forwarding the message. If it is, the data message is processed by a communication stack and provided to an application program on the computer. In this manner, a data communication is continuously passed along the network until it reaches a destination computer defined in the message. Scattered throughout this open network are a number of computers known as routers. Routers include tables of addresses for servers which couple other subnetworks to the open network. The routers use these tables to facilitate the forwarding of data messages to a server which couples the computer at the destination address in the data message to the open network.

The communication stack which processes data messages for a computer is a group of programs that correspond to communication layers which are executed sequentially in a manner which visually resembles a stack. On the Internet, the communication stack implements a Transport Control Protocol/Internet Protocol (TCP/IP). The implementation of this protocol is usually perceived to include at least three layers of processing. The first layer is a data link layer which maps an address from the hardware component to an Internet address for messages inbound to the computer and maps an Internet address to a hardware address for outbound messages. The next layer in the stack is the network layer which verifies that the network protocol parameters for the data communication are correct. Finally, the transport layer verifies that the datastream portion of the communication has been properly delivered and makes the datastream available for an application program. Datastream as used herein refers to the data segment used or generated by an application program and any header and trailer required for its communication. The communication stack allows application programs to communicate datastreams between one another without requiring the application programs to implement the transport, network, data link and hardware parameters necessary to communicate information from an application on one computer to an application on another computer.

A popular datastream protocol over the Internet is the Hypertext Transport protocol (HTTP). This protocol is used to transfer and display information, usually in a graphic format, from one computer to another. The files containing the information to be displayed are usually written in the Hypertext Markup Language (HTML). The HTML language includes commands which are executed by a program at the receiving computer. The files also include identifiers for files which include information to be displayed. These file identifiers are typically known as Universal Resource Locators (URL). The program at the receiving computer which displays information received from another computer in an HTML file or which returns user information to the program which sent the HTML file is commonly known as a browser. These browsers are typically referred to as client programs and the computers sending HTML files and the files corresponding to URLs within the HTML files are known as servers. The portion of the Internet which communicates in the HTTP protocol is usually referred to as the World Wide Web (WWW).

In a response to a request for a page sent by a browser, a server sends multiple HTML files which comprise the page in messages implemented in the HTTP protocol. When the HTML file or files are received by the computer executing the browser, each communication stack layer performs its function until a datastream containing an HTTP header and corresponding data segment is presented to the browser. One portion of the browser verifies that the information and the HTTP header have been accurately delivered to the application program. The browser then displays the data delivered in the HTML files received from the server. Because the TCP/IP protocol used for the Internet is a packet communication protocol, several messages are probably required before a complete file is available for display. Besides graphical data, the HTML file also contains data and/or commands which may not be displayed at the browser. This "hidden" data and/or commands may be used to cause the computer executing the browser to store information or execute programs without the user's knowledge of the existence or purpose of the information or program.

One known data field which may be included in the HTTP header of an HTML file is a "cookie" data field. A cookie is an HTTP protocol header document element which may be used to provide multiple data elements to the browser. In response to receiving an HTML file with a cookie, the browser may store the cookie data elements in a "cookies.txt" file which is usually kept in the root directory for the browser. Once cookie data are sent to the browser computer, the server expects the cookie data to be returned in the HTTP header of subsequent messages sent from the browser to the server. The inclusion of the cookie data in the HTTP header of messages from the browser is done without the user's awareness. In this manner, the operator of the server may identify repeat visitors to the server site. Other known methods of passing cookie data to a client program include using a Javascript data object or a Javascript program that accesses the "cookies.txt" file stored at the client computer. While the storage of a cookie file may appear harmless, it is nevertheless the unauthorized storage of data on another's computer and the file may be used for tracking the user and his or her requests for information from the server site without the user's knowledge or permission.
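
Cookie data can reach the browser by the two routes just described, the HTTP header and a Javascript program in the data segment, so a scanner has to look in both places. The following is an added JavaScript example, not code from the patent: it scans one inbound datastream for header cookies, script programs (flagging those that touch document.cookie) and applets, logs each as an event, and applies a per-site configuration. The configuration keys, the choice to render disabled elements as visible text, the regex-based HTML matching and the sample response are all assumptions of this example.

```javascript
'use strict';

// Hypothetical configuration data for one server site (key names are this example's own).
const STRICT_CONFIG = { deleteCookies: true, disableScripts: true, disableApplets: true };

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render a disabled element as inert, visible text so the user can inspect it.
function neutralise(markup, kind) {
  return `<pre class="disabled-${kind}">${escapeHtml(markup)}</pre>`;
}

// Scan one inbound HTTP datastream (header plus data segment) for trigger
// events and apply the configured response. Returns the event log and the
// processed datastream that would be handed to the browser.
function processInbound(raw, config = STRICT_CONFIG) {
  const split = raw.indexOf('\r\n\r\n');
  const headerLines = (split === -1 ? raw : raw.slice(0, split)).split('\r\n');
  const body = split === -1 ? '' : raw.slice(split + 4);
  const events = [];

  // Route 1: cookie data carried in the HTTP header.
  const kept = headerLines.filter((line) => {
    const m = /^set-cookie\s*:\s*(.*)$/i.exec(line);
    if (!m) return true;
    events.push({ type: 'header-cookie', detail: m[1], disabled: config.deleteCookies });
    return !config.deleteCookies;
  });

  // Route 2: script programs in the data segment. A header-only scanner never
  // sees these. An unterminated <script> is matched to end of input, because
  // a browser would still run it.
  let processed = body.replace(
    /<script\b[^>]*>([\s\S]*?)(?:<\/script\s*>|$)/gi,
    (whole, code) => {
      const type = /document\s*\.\s*cookie/i.test(code) ? 'script-cookie-command' : 'script';
      events.push({ type, detail: code.trim(), disabled: config.disableScripts });
      return config.disableScripts ? neutralise(whole, 'script') : whole;
    });

  // Applet programs embedded in the data segment.
  processed = processed.replace(
    /(<applet\b[^>]*>)[\s\S]*?(?:<\/applet\s*>|$)/gi,
    (whole, openTag) => {
      events.push({ type: 'applet', detail: openTag, disabled: config.disableApplets });
      return config.disableApplets ? neutralise(whole, 'applet') : whole;
    });

  // The data segment may have changed size, so a stale Content-Length is rewritten.
  const length = Buffer.byteLength(processed, 'utf8');
  const headers = kept.map((line) =>
    (/^content-length\s*:/i.test(line) ? `Content-Length: ${length}` : line));

  return { events, datastream: headers.join('\r\n') + '\r\n\r\n' + processed };
}

// Constructed sample response (not captured traffic).
const SAMPLE_BODY =
  '<html><body><h1>Welcome</h1>' +
  '<script>document.cookie = "track=abc";</script>' +
  '<applet code="Ticker.class" width="1" height="1"></applet>' +
  '<script>var n = 1;</script></body></html>';
const SAMPLE_RESPONSE = [
  'HTTP/1.0 200 OK',
  'Content-Type: text/html',
  'Set-Cookie: visitor=12345; path=/',
  `Content-Length: ${Buffer.byteLength(SAMPLE_BODY, 'utf8')}`,
  '',
  SAMPLE_BODY,
].join('\r\n');

for (const e of processInbound(SAMPLE_RESPONSE).events) {
  console.log(e.type, '->', e.disabled ? 'disabled' : 'passed');
}
```
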

Some known programs may be used to scan HTTP headers of HTML files and requests before the files are processed by a user's browser or the request from a browser is sent to the communication stack for transmission. These programs may be used to detect cookie data in incoming files and outgoing requests. These programs allow a user to activate a function which notifies the user of cookie data in HTTP headers of incoming HTML files. The user may also activate a function of the program to delete the cookie data from the HTTP header of an incoming file so it is not passed to the browser program and stored in the cache memory for the browser. If the cookie data is stored in the cache memory for the browser, the browser incorporates the cookie data in the HTTP header of outgoing HTML GET or PUT requests from the browser. These previously known programs may be used to notify the user of cookie data in the HTTP headers of the outgoing requests and to delete the cookie data from the HTTP headers independently of notification of cookie data for incoming files. These programs are separate from a user's browser and thus, may be advantageously added to a user's system without modifying the executable code for implementing the browser program. While these previously known programs may be used to selectively notify a user of the presence of cookie data in an HTTP header or to delete cookie data from an HTTP header, these programs do not detect other hidden data which a user may want to know is being passed to the user's browser or want to delete from an HTML file or request.

Recently, powerful interpretive languages have been developed which may be executed in a browser. Known interpretive languages are JAVA developed by Sun Microsystems, Javascript developed by Netscape Communications Corporation, and Visual Basic Script developed by Microsoft Corporation. Because each one of these languages is interpreted, a program written in one of these languages does not need to be compiled with prior knowledge of the computer on which it will execute. Instead, the interpreter executes within the application space for the application program, such as the browser, and this interpreter executes statements received in a file containing the interpretative language statements. Files containing interpretive language statements are known as applets. While applets have a number of beneficial purposes, they may also cause problems. For example, a JAVA applet may be imbedded in an HTML file, sent to a user's computer and executed by an interpreter in the browser without the user's knowledge. Such programs may be used to gain unauthorized access to resources or data on the user's computer. Additionally, these interpretive language programs may include cookie commands that identify tracking data as discussed above. These cookie commands are part of the data segment of a datastream for a browser and not part of the HTTP header. As a result, these cookie commands are not detected by the programs that may be used to detect and delete cookie data from HTTP headers.

To address the need to detect interpretive language programs and cookie commands in data segments of datastreams, some known browsers have been modified to include a function which a user may activate to prevent the execution of interpretive language programs and cookie commands. Typically, the browser is modified so the portion of the browser program that passes an interpretive language program or cookie command to an interpreter for execution, checks a switch which may be set by a user, to determine whether passing programs and commands to the interpreter is enabled. While these modified browsers disable the execution of interpretive programs and cookie commands, they do not notify a user that an interpretive program or cookie command was detected. Thus, users are unaware of those server sites that attempt to send interpretive programs and cookie commands to the user's browser and, as a result, the user may deactivate the interpretive program and cookie command disabling function of the browser. Thereafter, the user may request an HTML file from a server previously visited and receive an interpretive program or cookie command that now executes on the user's computer. If the user had known the server site was sending interpretive programs or cookie commands, the user may have chosen not to request files from the server.

What is needed is a program which detects programs or cookie commands embedded within a datastream received from another computer and which notifies the user of the interpretative language program or cookie command so the user may be aware that the server is sending interpretive programs or cookie commands. What is needed is a program which notifies the user of detected interpretive programs and cookie commands without modifying the browser program. What is needed is a way to restrict access to resources or data on a computer when the computer is in communication with another computer.

SUMMARY OF THE INVENTION

The above limitations of previously known cookie detecting programs are overcome by a system and method made in accordance with the principles of the present invention. The system of the present invention includes an interceptor for intercepting a datastream before the datastream is received by an application program, a scanner for scanning the intercepted datastream to detect a trigger event in the intercepted datastream, and an event response generator for generating a response to the detected trigger event in correspondence with event configuration data. Preferably, the detected trigger event is displayed with an action menu to facilitate the user's consideration of appropriate responsive actions. For example, in response to a display of a detected program command, a user may activate an action in the action menu to delete, disable or enable the detected program command. In another example, a user may specify an action which modifies or deletes a cookie file contained in a datastream.

In a preferred embodiment of the present invention, the interceptor is a program which overloads a portion of the socket program that communicates directly with the transport layer. Thus, the interceptor can receive a datastream from the transport layer prior to its delivery to an application program and can receive a datastream to be sent to another computer before it is received by the transport layer for transmission to the other computer. Alternatively, the interceptor may execute in the application space with an application program, usually a browser, and intercept datastreams to and from the application program before they are processed by the application program or sent to the transport layer, respectively.

Preferably, the scanner of the present system detects fields in datastream headers, embedded identifiers, embedded commands and unidentified file requests in datastreams. The embedded identifiers and embedded commands are usually detected in incoming datastreams to the application program. The unidentified file requests are usually contained within outgoing datastreams. These unidentified file requests are preferably detected by comparing the addresses of the requested files or URLs to verify they are coming from the server site currently in communication with the user's computer. If the requested file or URL is not stored at the server site, the system of the present invention determines whether the user has authorized receipt of files from server sites other than the one with which the user's system is currently communicating. If such receipt has not been authorized, the file is not passed to the application program for viewing and an alert is provided to the user that the server attempted to send a file or files from another server.

Preferably, the action menu presented by the event response generator provides a user with options to (1) generate an electronic (E-mail) message to the system administrator who operates the server site which caused the trigger event, (2) terminate the communication session with the server site which caused the trigger event, or (3) modify
configuration data corresponding to the server site which is used to process detected trigger events. Configuration data are a user's identification of the types of actions the inventive system performs for the hidden data elements or commands detected in datastreams. For example, if a user needs to allow the downloading of applet files and the commands to execute them in order to view a desired resource from a server site then the user may permit such program downloading and command executions. The event response generator also generates and stores a log of each trigger event. The log records for the trigger events preferably include the time of the trigger event, identification of the source of the trigger event, the type of trigger event, and any file which may have been received as a result of the trigger event. The user may view this event log to ascertain what various server sites are providing in datastreams to an application program which otherwise would be undetected.

In the method of the present invention, an inbound datastream is intercepted prior to it being delivered to an application program. The datastream is then scanned for trigger events and processed according to the configuration data for the server site. If the configuration data indicates that script programs are to be disabled, for example, any script program in the datastream is disabled so it cannot be executed by the browser. The detected trigger events are then logged and a data envelope containing event indicators and an action menu is generated and coupled to the processed datastream. The browser program then displays the processed datastream, the event indicators and the action menu. The user may select actions in the action menu to view detected trigger events or initiate control actions. For example, a user may view a disabled script program and conclude its execution is acceptable to the user. The user may then modify the configuration data to allow script program execution and then cause the browser to request the page from the server again. Upon receipt of the requested page, the system of the present invention does not disable the script program and it will execute when the datastream is passed to the browser.

Another action available to a user is to obtain information about the server site which sent the detected trigger events. Preferably, information regarding the server site is obtained by establishing an HTTP session, although a Telnet session may be used, with Internic, the Internet domain name registration service, to retrieve information regarding the Web site owner using the WHOIS service query. The retrieved information includes the computer system administrator's name and electronic mail address. Alternatively, information about the Web site may be obtained directly from the Web site using a [illegible] query. Once this type of information about the server site has been obtained, the user may use the action menu to send an E-mail message to the identified company and/or administrator of the server site. Alternatively, the user may decide to abort the current application session with the server site or modify the configuration data for the server site so subsequent files containing trigger events are not disabled. After the user selects an appropriate action, the action is executed. The method then returns to await the interception of the next datastream.

In another aspect of the present invention, input/output (I/O) operations to the disk drives of the computer system may be disabled whenever the computer initiates communication with another computer over a network. In this embodiment, RAM memory is used to store data received over a network from the other computer. The user may re-enable disk I/O operations by modifying configuration data corresponding to the computer which is communicating with the user's computer. If the user does not re-enable disk I/O during the communication session with another computer, files stored in RAM during the communication session may be stored to a disk drive after the communication session is over. In this way, a user may view the data stored in RAM to learn whether a computer has attempted to pass hidden data or programs to the [illegible] before storing files received from the computer.

In another preferred aspect of the present invention, a specially defined cookie data field is used to communicate an action map of configuration data between a program implementing the present invention and the application program. The cookie data field includes action map data which is used to define the actions for various trigger events processed by the inventive system. When an application program accesses a server site through the communication stack, the system and method of the present invention intercept the datastream sent by the server site and populate a cookie data field in the header of the datastream with a default action map value for delivery to the application program. This cookie data field is preferably inserted in the HTTP header of the HTML file containing the processed datastream before it is provided to the application program. As the user selects options in the action menu, the data values in the default action map of the cookie data field are modified accordingly. When the application program provides a response to the server site, the system and method of the present invention intercept the datastream and extract the modified action map data in the cookie data field of the response. If the default action map values have been modified, they are used to modify event configuration data that defines the trigger events to be processed. The action map and event configuration data are stored with an identifier which corresponds to an address for the server site. This data is used to scan and detect trigger events in subsequent communications with the server site. The action map data is deleted from the outbound datastream before it is provided to the communication stack for transmission to the server site. Thus, any subsequent communication with a server site causes the system to first determine whether corresponding cookie action map data has been defined for the server site and, if it has, use the values in the cookie action map data for the datastream. If no corresponding configuration data are found for a server site when an incoming datastream is received, default action map and event configuration data are used to process the incoming datastream. In this manner, the system and method of the present invention may communicate configuration data with the application program in a manner that is transparent to the computers with which the application program is communicating over the network.

These and other benefits and advantages of the present invention may be ascertained from the general description given above and the detailed description given below.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated and constitute a part of the specification, illustrate preferred and alternative embodiments of the present invention and, together with a general description given above and the detailed description of the embodiments given below, serve to explain the principles of the present invention.

FIG. 1 is a block diagram of a system incorporating the principles of the present invention;

FIG. 2 is a block diagram of HTML file processing performed in a preferred aspect of the present invention;
FIG. 3 is an exemplary HTML <FORM> used to accept user input to modify action map data for processing trigger events;

FIG. 4 is an exemplary Javascript program used to modify the action map in accordance with the user input received from the HTML <FORM> shown in FIG. 3;

FIG. 5 is a flowchart of a preferred method of processing inbound datastreams performed by the system shown in FIG. 1; and

FIG. 6 is a flowchart of a preferred process of processing outbound datastreams performed by the system shown in FIG. 1.

DETAILED DESCRIPTION OF THE INVENTION

System 10, as shown in FIG. 1, includes an interceptor 30 for receiving datastreams either from communication stack 12 before they are processed by the application program or from the application program before they are encapsulated by communication stack 12. Scanner 32 scans the data elements of a datastream to detect trigger events within the datastream. Datastreams which do not contain trigger events are, preferably, passed by scanner 32 to event response generator 34 which includes an action menu with the datastream before providing the processed datastream to the application program. Event response generator 34 disables detected trigger events in accordance with configuration data from configuration file 38. Preferably, event response generator 34 includes in the header of the processed datastream, the action map data from the configuration data used to process the trigger events. Event response generator 34 also generates event indicators for the detected trigger events and includes an action menu, as noted above, for display by the application program. The event indicators and action menu are coupled to the processed datastream which is passed to the application program. Preferably, the event indicators and action menu are HTML data and HTTP header data for an HTML file which is coupled to the processed HTTP datastream. Preferably, the action menu is implemented by a Javascript program or command which is preferably included in the HTML file coupled to one end of the processed datastream.

System 10 may execute in the process space of an application program, such as a browser, or the process space of a communication program, such as a WINSOCK program. A browser typically communicates datastreams with servers using the HTTP protocol over an open network such as the Internet. A communication program establishes a communication session between the application program and communication stack 12. The communication program communicates with communication stack 12 so system 10 is coupled to a network. As explained above, communication stack 12 includes transport layer 18, network layer 20, data link layer 22, and hardware component 26. When system 10 executes in the process space of a communication program, it overloads a portion of the communication socket program to "hook" or intercept datastreams being communicated to and from the application program. A WINSOCK communication program used in the preferred embodiment of the present invention is the WINSOCK COMPONENT ARCHITECTURE program available from Stardust Technologies, Inc. of Campbell, Calif. When system 10 executes in the process space of the application program, it intercepts and processes datastreams from the communication program, such as a WINSOCK program, before determining whether to provide them to the application program. Likewise, it intercepts and processes datastreams from the application program before determining whether to provide them to the communication program.

For datastreams generated by the application program, interceptor 30 intercepts the outbound datastream and scanner 32 scans the outbound datastream for outbound trigger events. Preferably, this is done by scanning the returned datastream for special Universal Resource Locators, HTTP headers, and FORM data within the HTTP protocol. While the preferred embodiment of the present invention scans these preferred elements in the HTTP protocol, other elements in other communication protocols may be scanned without departing from the principles of the present invention. Preferably, event response generator 34 performs any actions for detected trigger events in accordance with the action map data returned in the outbound datastream and the event configuration data in configuration file 38 is modified to comply with the returned action map data. Event response generator 34 preferably deletes the action map data from the outbound message and stores it with the event configuration data in configuration file 38.

Preferably, system 10 is a program implemented in the C computer programming language and operates on a personal computer (PC) or the like. At a minimum, the computer executing system 10 should have an Intel 80486 processor or equivalent, 16 MB of RAM, 500 MB of hard disk space, a VGA monitor, keyboard and a mouse. Preferably, the program implementing system 10 operates on a computer using a Windows operating environment. For 16 bit processors, the program preferably operates in the Windows 3.1 or Windows for Work Groups 3.11 environments and is preferably compatible to operate in the process space of a sixteen (16) bit WINSOCK program or as a plug-in application to the Netscape Navigator 3.0 browser application. For 32 bit processors, the program implementing system 10 preferably operates in the Windows 95 or NT environments and preferably operates in the process space of a thirty-two (32) bit WINSOCK or as a plug-in application with the Netscape Navigator 3.0 browser or as an Active-X control program for the Microsoft Explorer 3.0 browser.

At activation of system 10, event response generator 34 generates an action menu which is sent to the application program. The application program displays the action menu so the user may make selections which configure the system. Preferably, the action menu is comprised of HTML controls which invoke Javascript commands to modify action map configuration data for a specified server site. Preferably, the action map configuration data are a string of digits which compose a data map where each digit defines a control action. This preferred form of action map data is then preferably transferred from the application program to system 10 in a specially defined cookie data field of the HTTP header for the HTML file returned to system 10.

If the user chooses to configure the system, the user uses the action menu to identify the server site which corresponds to the action map data configured by the user. Preferably, the server site is identified by its domain name. The action map data is used by the event response generator to assign values to the event configuration data that define the trigger events for which event response generator 34 is to perform an action. The server site identification, the action map data and the event configuration data are stored in configuration data file 38. Thus, event response generator 34 locates the domain address of a server site in an incoming message and searches configuration data file 38 for a corresponding server site identifier. The action map data and event configuration data are then used to process trigger events detected by scanner 32.
Preferably, the action map data includes a ten digit field which identifies ten actions a user may specify for restricting access to a user's computer. The preferred action map data is defined as:

MAP DATA
DIGIT POSITION   ACTION                               VALUES

1                temporary storage                    '0' = no temporary storage of displayed data
                                                      '1' = temporary storage of displayed data
2                disk storage                         '0' = no disk storage of server data
                                                      '1' = allow disk storage of server data
3                hidden data return                   '0' = no return of server hidden data
                                                      '1' = allow return of server hidden data
4                relayed server data                  '0' = no relayed server data displayed
                                                      '1' = relayed server data displayed
5                storage of relayed server data       '0' = no relayed server data stored
                                                      '1' = relayed server data stored
6                server programs in display window    '0' = no program execution in display window
                                                      '1' = program execution in display window
7                server programs on user's computer   '0' = no program execution on user's computer
                                                      '1' = program execution on user's computer
8                e-mail user information              '0' = no browser or e-mail user data to server
                                                      '1' = browser or e-mail user data to server allowed
9                page updates                         '0' = no page updates
                                                      '1' = page updates allowed
10               disk access                          '0' = disk access disabled
                                                      '1' = disk access allowed

In the preferred implementation, the most significant digit in the preferred 10 digit action map data defines whether hidden data from a server site is displayed in the browser. In response to this digit having a value of '0', event response generator 34 deletes cookie values in an HTTP header or in embedded script "document.cookie" commands of a datastream received from the server site, sets the cache value in the HTTP header so data is not stored in the cache of the user's computer, and deletes at browser initiation or termination cookie data in the "cookies.txt" file which were received from unauthorized servers. In response to this digit having a value '1', event response generator 34 deletes the expiration dates for cookie data in HTTP header so the cookie values from the server site may be received, sets the cache value in the HTTP header so data is not stored in the cache of the user's computer, and deletes at browser initiation or termination cookie data in the "cookies.txt" file which were received from unauthorized servers. The second digit of the preferred action map data defines whether data from a server is stored on the user's disk drive. In response to this digit having a value of '0', event response generator 34 deletes cookie values in an HTTP header for a datastream received from the server site, sets the cache value in the HTTP header so data is not stored in the cache of the user's computer, and deletes at browser initiation or termination cookie data in the "cookies.txt" file which were received from unauthorized servers. In response to this digit having a value '1', event response generator 34 allows cookie values with valid expiration dates to be stored in the "cookies.txt" file and datastreams from a server may be stored in the cache of the user's computer and on the user's disk drive. The third digit of the preferred action map data defines whether data from a server stored on a user's disk drive may be returned to the server. In response to this digit having a value of '0', event response generator 34 deletes all cookie values in an HTTP header for outgoing datastreams to the server site. In response to this digit having a value '1', event response generator 34 allows cookie values to be returned to the server site which sent them in a previous datastream. The fourth digit of the preferred action map data defines whether a server can request data from another site for display by a user's browser. In response to this digit having a value of '0', event response generator 34 deletes all HTML "<IMG src="URL">" statements where the URL identifies a server other than the one with which communication is active. In response to this digit having a value '1', event response generator 34 allows GET requests for URLs from other server sites to be sent to the user's computer for display. The fifth digit of the preferred action map data defines whether a server can request data from another site be sent to the user's browser for storage. In response to this digit having a value of '0', event response generator 34 deletes all HTML "Set Cookie" statements where the URL in the datastream identifies a server other than the one with which communication is active and no cache storage is allowed for datastreams having a server address different from the one with which communication is currently active. In response to this digit having a value '1', event response generator 34 allows cookies from other server sites to be stored on the user's computer.

Continuing with the description of the preferred implementation, the sixth digit in the preferred 10 digit action map data defines whether programs from a server may be executed in the display of a user's browser. In response to this digit having a value of '0', event response generator 34 disables HTML SCRIPT and APPLET tags as well as Javascript "document.applet" commands. In response to this digit having a value '1', event response generator 34 allows HTML SCRIPT and APPLET tags as well as Javascript applets to execute in the display of a user's browser. The seventh digit of the preferred action map data defines whether programs from a server may execute on a user's computer. In response to this digit having a value of '0', event response generator 34 disables HTML OBJECT and EMBED tags as well as Javascript "document.embed" commands. In response to this digit having a value '1', event response generator 34 allows HTML OBJECT and EMBED tags as well as Javascript embedded commands to execute on the user's computer. The eighth digit of the preferred action map data defines whether browser and e-mail user information data may be sent to a server. In response to this digit having a value of '0', event response generator 34
deletes "User-Agent" and "From:" fields from HTTP headers of outbound datastreams. In response to this digit having a value '1', event response generator 34 allows HTTP headers having "User-Agent" and "From:" fields to be transmitted in outbound datastreams. The ninth digit of the preferred action map data defines whether page updates from a server may be received by a user's browser. In response to this digit having a value of '0', event response generator 34 deletes all "Connection:keep-alive" and "refresh" statements from HTTP headers in inbound datastreams. In response to this digit having a value '1', event response generator 34 allows "Connection:keep-alive" and "refresh" statements to remain in HTTP headers in inbound datastreams so they are processed by a user's browser. The tenth digit of the preferred action map data defines whether disk I/O is active during network communication. In response to this digit having a value of '0', event response generator 34 allows disk I/O to remain active during an active TCP/IP socket connection. In response to this digit having a value '1', event response generator 34 disables disk I/O whenever a TCP/IP socket connection is active. Although these are the preferred actions and their preferred implementations in the present invention, other actions and implementations may be used without departing from the principles of the present invention.

As noted in the discussion of the actions in the preferred action menu, some actions pertain to more than one type of trigger event. Preferably, the trigger events and the corresponding response for each event are maintained in event configuration data. Preferably, the event configuration data are defined as:

MAP DATA
DIGIT POSITION   RESTRICTION                    VALUES

1                cookie_modifications           '0' = no modifications
                                                '1' = modify name = value statement or expiration date for cookie value
                                                '2' = delete cookies.txt at start-up/shut down
2                refresh                        '0' = allow always
                                                '1' = delete always
3                keep_alive                     '0' = allow always
                                                '1' = delete always
4                mime_type                      '0' = allow all
                                                '1' = text and image only
                                                '2' = text only
5                script (Java Script or VBS)    '0' = allow always
                                                '1' = disable always
6                script_cookie                  '0' = allow always
                                                '1' = disable always
7                script_submit                  '0' = allow always
                                                '1' = disable always
8                script_embed                   '0' = allow always
                                                '1' = disable always
9                applet (Java)                  '0' = allow always
                                                '1' = disable always
10               embed (Plug In)                '0' = allow always
                                                '1' = disable always
11               object (ActiveX)               '0' = allow always
                                                '1' = disable always
12               Virtual RAM Drive              '0' = disable
                                                '1' = enable

Thus, the event configuration data defines the actions to be performed for each type of trigger event. When event response generator receives an action map from the user's browser, the event configuration data is modified to conform to the action map. In this manner, the user need only specify actions and the inventive system correlates the specified actions to the trigger events for which scanner 32 scans. In the preferred implementation, the most significant digit in the preferred 12 digit map data defines whether cookie values in an HTTP header for a data message received from another computer are modified or stored in a "cookies.txt" file. As shown in the table, a zero value for the digit indicates that no modifications are made to cookie values in the header, a "1" value for the digit indicates that a user may modify the value before it is returned to the computer which sent the message with the cookie data in the header, and the value "2" causes the file ("cookies.txt") in which cookie data are normally stored to be deleted upon initiation of the application program or upon termination of the application program. For the second map data digit, the value zero permits refresh files to be received and displayed by the application program and the value "1" deletes refresh file requests from outbound datastreams. Refresh files are typically HTML files sent by a server to update an area within a previously transmitted page. The third map data digit determines whether repeat images from the server are displayed by the application program. A value of zero permits the repeat data files to be received and displayed, a value of "1" preferably causes the TCP/IP socket to close after a Web page has been downloaded so repeat data files are not received. The fourth map digit defines whether MIME encoded files are decoded and displayed by the application program. A value of zero permits all MIME encoded files to be decoded and used by the application file, a value of "1" permits those MIME files containing text and image data only to be received and decoded by the application program, and the value "2" permits those MIME files containing text only to be received and decoded. The fifth map data digit either allows or disables execution of script commands received in a datastream. A value of zero for this digit permits the application program to receive and execute script commands while a value of "1" causes the scanner to disable script commands. Preferably, script commands are disabled by placing a comment character before the script
command so the detected script command may be displayed by the application program for the user. In the preferred implementation, detected script commands are in Javascript or Visual Basic Script (VBS) languages. The sixth map data digit determines whether cookie data in script commands are permitted. That is, cookie data may be defined in script commands to avoid being detected in HTTP headers. If this map digit is zero, the script cookie data are received and used by the application program. If the map data value is "1", detected cookie data in script commands are disabled and displayed by the application program for the user so the user may determine whether receipt of the cookie data in the script command is allowed. The seventh digit in the map data determines whether a FORM "submit" script command will be provided to the application program. A digit value of zero allows FORM "submit" script commands to be received and executed by the application program and the value of one causes the scanner to disable the FORM "submit" command so it may be displayed for the user by the application program without execution. The eighth digit in the map data determines whether a script program may execute a plug-in program using an "embed" command. A value of zero permits script programs to execute plug-in programs with "embed" commands and a value of "1" causes event response generator 34 to disable "embed" commands for plug-in programs in script programs. Preferably, script commands are disabled by either placing a comment character in front of the command which invokes the program or by inserting a return statement as the first statement in the imbedded program function so the body of the imbedded program function is not executed. The ninth digit of the map data determines whether an applet program is received and executed. When this digit is a zero, applet programs may be received and executed by the application program and when this digit is a "1", event response generator 34 disables the applet program. Again, the preferred implementation disables the applet program by either placing a comment character before the command invoking the program or placing a return statement as the first statement in the applet program. The tenth digit in the map data determines whether imbedded programs for a plug-in application are received and executed by the application program. A value of zero for this digit permits imbedded programs to be received and executed by the plug-in application and a value of "1" disables the imbedded programs for the plug-in application. Again, the preferred implementation disables imbedded programs or plug-in applications in the manner discussed with respect to applet programs. The eleventh map data digit determines whether data objects are passed and used by the application program. The map value of zero permits data objects to be received and used by the application program and a value of "1" disables data objects so a detected object may be displayed by the application program for the user. The data object is preferably disabled by placing a comment character in front of the command which uses the data object or by detecting the program portion component of the data object and disabling it by putting a return statement as the first statement in the program portion of the object. In the preferred implementation, data objects are typically data objects written in the Active X language. The twelfth digit of the map data determines whether disk I/O is disabled. When the value of this digit is at zero, disk I/O is disabled and files and data are written to a RAM area. When this digit is a one, files and data may be stored on a disk drive.

In the preferred implementation, the action map data is assigned by a "Cookie:iv=map data" statement. The "cookie:iv" portion of the statement specially defines the cookie data as being generated by system 10 so system 10 can distinguish the cookie data used to control system 10 from cookie data sent from a server site or the application program. A diagrammatic depiction of the preferred processing of an HTML file by system 10 is shown in FIG. 2. As shown there, a server sends an HTML file having cookie data in the HTTP header (Step A). This file is intercepted by system 10 and scanned to detect trigger events in accordance with event configuration data stored in configuration file 38 which corresponds to the server. Scanner 32 determines which configuration data to use by extracting the server address in the HTTP header and searching configuration file 38 for an entry which corresponds to this server address. If one is located, the information in the corresponding event configuration data is used by scanner 32 to detect trigger events and action map data are used by event response generator 34 to generate appropriate responses for the trigger events detected by scanner 32. If no corresponding configuration data have been stored for the server site, a default action map value is used to set default event configuration data. In the preferred implementation, the default action map value is "iv=0000000001", although other values may be used. The action map data are stored in the HTTP header of the processed datastream (Step B). Event response generator 34 also couples an HTML file to one end of the datastream, preferably, at the trailing end of the intercepted datastream (Step C). A preferred HTML form used to accept user input for modification of the preferred action map data is shown in FIG. 3. Preferably, other HTML <FORMS> may be included in the HTML file to provide the user with event indicators and other action options such as server administrator inquiries and responsive e-mail generation as discussed below. In the preferred HTML <FORM> for the preferred action map, the "reset page" option permits a user to request the datastream for the downloaded page from the server again so it may be processed with the new event configuration data before it is delivered and displayed by the user's browser. Coupled to the end of the preferred HTML file generated by event response generator 34 is a Javascript program which performs the actions presented in the action menu. A preferred implementation of a Javascript program for modifying the action map data is shown in FIG. 4.

The processed datastream with the specially defined 
cookie field and trailing HTML file is passed to the browser 
for display (Step D, FIG. 2). The HTML forms of the trailing 
HTML file are displayed to reveal event indicators and the 
action menu to the user. The HTML form for the event 
indicators may accept activation by the user to display the 
detected trigger event in the HTML file for the processed 
datastream. For example, if an event detector indicates an 
applet program has been detected, a user may "click" on the 
indicator so the HTML source code for the detected applet 
program is displayed to the user. The displayed program 
contains the comment character or return statement used to 
disable the program. In this manner, a user may view 
detected trigger events and determine whether the detected 
trigger event is acceptable to the user. 

When the application program sends a subsequent GET or POST request to the server site, the HTTP header containing the "cookie:iv" field is used for the message. Event response generator 34 reviews the action map data in the "cookie:iv" field and modifies the corresponding event configuration data. It then performs actions on the outbound message in accordance with the modified event configuration data. The "cookie:iv" data is extracted and stored in the configuration file so it corresponds to the server site address and event configuration data. The "cookie:iv" data is then deleted from the HTTP header and the GET or POST request is provided to the communication stack for transmission to the server site (Step E). The next HTML file received from the server is then evaluated in terms of the new configuration data stored in configuration file 38 for the server site (Step A).
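An added Python example (not code from the patent) of the Step E handling described above: it takes the iv control cookie out of an outbound request, stores a valid ten-digit map for the server site, and then applies the third and eighth action map digits to the message. Treating iv as a pair inside the Cookie header, reading the server site from the Host header, and the names process_outbound and decode_action_map are assumptions.

```python
import re

# Digit positions 1-10 and their actions, from the action map table above.
ACTIONS = (
    "temporary storage", "disk storage", "hidden data return",
    "relayed server data", "storage of relayed server data",
    "server programs in display window",
    "server programs on user's computer",
    "e-mail user information", "page updates", "disk access",
)
DEFAULT_MAP = "0000000001"            # default action map value from the text
MAP_RE = re.compile(r"[01]{10}")      # exactly ten digits, each '0' or '1'


def decode_action_map(action_map):
    """Return {action name: True if the digit is '1'} for a valid map."""
    if not MAP_RE.fullmatch(action_map):
        raise ValueError("action map must be ten '0'/'1' digits")
    return {name: digit == "1" for name, digit in zip(ACTIONS, action_map)}


def process_outbound(request, config):
    """Apply Step E to one outbound HTTP request.

    `config` stands in for configuration file 38 as a dict of
    {server domain: action map}; it is updated in place.
    """
    head, sep, body = request.partition("\r\n\r\n")
    request_line, *headers = head.split("\r\n")
    # Assumption: the server site is taken from the Host header.
    host = ""
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()

    kept, server_cookies = [], []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            kept.append(line)
            continue
        for pair in filter(None, (p.strip() for p in value.split(";"))):
            key, _, val = pair.partition("=")
            if key.strip() != "iv":
                server_cookies.append(pair)
            elif MAP_RE.fullmatch(val.strip()):
                config[host] = val.strip()   # store the user's new map
            # The control cookie is never forwarded, valid or malformed.

    policy = decode_action_map(config.get(host, DEFAULT_MAP))
    if not policy["e-mail user information"]:            # eighth digit '0'
        kept = [h for h in kept
                if h.partition(":")[0].strip().lower()
                not in ("user-agent", "from")]
    if server_cookies and policy["hidden data return"]:  # third digit '1'
        kept.append("Cookie: " + "; ".join(server_cookies))
    return "\r\n".join([request_line] + kept) + sep + body


if __name__ == "__main__":
    # Constructed request: the browser returns a server cookie plus iv.
    store = {}
    sample = ("GET /page HTTP/1.0\r\nHost: shop.example\r\n"
              "User-Agent: TestBrowser/1.0\r\n"
              "Cookie: session=abc; iv=0010000101\r\n\r\n")
    print(process_outbound(sample, store))
    print(store)
```

A malformed iv value is dropped without changing the stored map, so the server never sees the control field and a bad value cannot loosen the policy.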

In this manner, a user may first request a page from a 
server site and have the HTML file processed by system 10 
before it is delivered to the application program. As a result, 
a user is informed of all detected trigger events. If any of the 
trigger events include programs or commands, the user may 
view those and determine whether the actions performed by 
the program or command are acceptable to the user. If that 
is the case, the user may select the action in an action menu 
which modifies the action map data so subsequent messages 
from the server which contain programs are executed. The 
user may then request the page from the server again and, 
this time, the program is not disabled by event response 
generator 34. Thus, when it is delivered to the application 
program, it will be executed. 

Because trigger events are detected and processed without user intervention, system 10 can process an entire page from a server and then deliver the processed page to the application program with the detected trigger events disabled. Previously known programs that detected or deleted cookie data from HTTP headers were unable to detect and disable interpretive programs and embedded cookie commands. Previously known browsers that disabled interpretive programs and embedded cookie commands did not notify the user of disabled interpretive programs and embedded cookie commands. The system of the present invention provides a program which may execute in the application space with a browser or overload part of the communication socket program to detect and delete cookie data from HTTP headers as well as notify a user of interpretive programs and embedded cookie commands disabled by the system. With the system of the present invention, a user may view a complete page with the detected trigger events disabled, be notified of the detected trigger events and then determine whether detected trigger events are acceptable for subsequent datastreams.

Preferably, the trigger events which are to be disabled include trigger events in both incoming and outgoing datastreams. The preferred trigger events detected in incoming datastreams may be classified as embedded identifiers, embedded commands, and unidentified file requests. Examples of each of these types of event triggers are now given; however, the reader should understand that the present invention is not limited to these examples or to the exemplary classifications of event triggers discussed herein. Three examples of embedded identifiers are a "Set Cookies" string in the HTTP header of a datastream, a Cookie or FORM field having a "Name=value" string, and a "type=hidden" string in a FORM INPUT field of a datastream although other methods or mechanisms for delivery of identifier strings may be detected by scanner 32 of system 10. Other examples of an embedded identifier in an incoming datastream are a "document.cookie" or "submit( )" string in a Javascript programming language statement in a Javascript program.

Examples of embedded commands include any commands which activate or execute a program or applet. Programs which may be activated by an embedded command include those written in the JAVA script or Visual Basic Script languages. Also, JAVA applets, Navigator plug-in applications, and Microsoft Active-X control applications are programs that may be activated by embedded commands. For example, the HTML tag "APPLET" may be used to invoke a JAVA applet, the "EMBED" HTML tag may be used to invoke Netscape plug-in applications, and the "SCRIPT" HTML tag may be used to invoke Javascript or Visual Basic Script programs. Thus, identification of these HTML tags in a file received from a server site is a detection of a trigger event for an embedded command. Also, Javascript programs received from a server site are scanned to determine if a "document.applets" string or "document.embeds" string is contained in the Javascript program. These two examples of JAVA script language statements are used to invoke a JAVA applet or a Netscape plug-in application, respectively. Again, these commands which activate programs or applets are merely examples of the types of commands which may be detected by scanner 32 in a scan of an HTML file or downloaded program or applet file.

An example of an unidentified file request in an incoming datastream is "IMG SRC="<URL>"". This tag may be used in an HTML file to automatically download image files from a URL other than the original URL. Thus, scanner 32 detects the HTML tag which would result in a request for additional URLs which have a server address other than one with which the user's browser is communicating.
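An added Python example (not code from the patent) of a scanner for the three inbound trigger classes described above, applying the most restrictive response to each: Set-Cookie headers are deleted, SCRIPT, APPLET, OBJECT and EMBED elements are commented out so their source stays viewable, and IMG requests to another server are removed. Regular-expression matching stands in for scanner 32, and the names scan_inbound and comment_out, the event labels and the sample page are assumptions.

```python
import re
from urllib.parse import urlparse

# One pattern, one pass, so markup inside a disabled element is not rescanned.
TRIGGER_RE = re.compile(
    r"(?P<cmd><(?P<tag>script|applet|object|embed)\b[^>]*>"
    r"(?:.*?</(?P=tag)\s*>)?)"
    r"|(?P<img><img\b[^>]*?\bsrc\s*=\s*[\"']?(?P<src>[^\"'\s>]+)[^>]*>)"
    r"|(?P<hidden><input\b[^>]*\btype\s*=\s*[\"']?hidden\b[^>]*>)",
    re.IGNORECASE | re.DOTALL,
)


def comment_out(markup):
    """Disable markup by wrapping it in an HTML comment, source kept readable.

    Any "--" in the markup is split so a "-->" inside a script cannot
    close the wrapper early and re-enable what follows it.
    """
    return "<!-- disabled: " + re.sub(r"-(?=-)", "- ", markup) + " -->"


def scan_inbound(headers, html, active_host):
    """Return (headers, html, events) with every trigger event disabled."""
    events, kept = [], []
    for line in headers:
        if line.partition(":")[0].strip().lower() == "set-cookie":
            events.append(("embedded identifier", "Set-Cookie header"))
        else:
            kept.append(line)

    def handle(match):
        if match.group("cmd"):
            events.append(("embedded command", match.group("tag").upper()))
            if re.search(r"document\.cookie|submit\(\s*\)", match.group("cmd")):
                events.append(("embedded identifier", "script cookie or submit"))
            return comment_out(match.group("cmd"))
        if match.group("img"):
            try:
                host = urlparse(match.group("src")).hostname
            except ValueError:
                host = "(unparseable)"          # fail closed on a bad URL
            if host and host != active_host.lower():
                events.append(("unidentified file request", host))
                return ""                       # request to another server removed
            return match.group("img")           # relative or same-server image
        events.append(("embedded identifier", "hidden FORM field"))
        return match.group("hidden")            # reported, left in place

    return kept, TRIGGER_RE.sub(handle, html), events


if __name__ == "__main__":
    # Constructed response from the server site shop.example.
    sample_headers = ["Content-Type: text/html", "Set-Cookie: id=42"]
    sample_html = ('<html><body><img src="/logo.gif">'
                   '<img src="http://ads.example/pixel.gif">'
                   '<form><input type=hidden name=uid value=42></form>'
                   '<SCRIPT>document.cookie="t=1"; n--; // -->\n</SCRIPT>'
                   '<embed src="movie.dcr"></body></html>')
    new_headers, new_html, found = scan_inbound(
        sample_headers, sample_html, "shop.example")
    print(new_headers)
    print(new_html)
    for event in found:
        print(event)
```

The returned event list is what a log file and the event indicators would be built from.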

For outgoing datastreams, scanner 32 verifies that all requested URLs are URLs which are identified in the HTML files for the page being viewed. Another example of a scan of an outgoing datastream is a scan of the HTTP header to see if the header contains HTTP cookie data. Finally, scanner 32 may be activated to overwrite information in HTTP headers such as the User-Agent identifier field, cookie expiration date, the cache storage field or an E-mail identification address. These events are discussed above with respect to the preferred action map data.

For each type of trigger event, there are preferably three types of actions which may be presented in the action menu or defined by the configuration data. These action types are (1) sending an E-mail message to the system administrator for the server site which caused the trigger event, (2) termination of the present communication session with the server site, and (3) modification of the action data for the server site to alter the response of system 10 to detected trigger events. Each type of trigger event may be individually defined and one or more actions identified for presentation upon occurrence of a trigger event. Preferably, the event indicators and the actions to be presented to a user upon the occurrence of a trigger event are generated by event response generator 34.

The preferred method implemented by system 10 for inbound data
messages is shown in FIG. 5. The method begins by intercepting a
datastream before it is received by the application program in the
application space shared with system 10 and the event configuration
data are retrieved from configuration file 38 (block 50). The
datastream is scanned for trigger events defined by event
configuration data corresponding to the server which sent the
datastream (block 54). The reader should appreciate that the term
datastream includes the data components of a data communication
between computers as well as the header information for the data
segment. If the scan of the datastream indicates a trigger event is
present (block 56), the process writes the detected trigger events
to a log file (Block 60). Regardless of whether trigger events were
detected or not, action map data corresponding to the server site
which generated the inbound datastream is placed in the header of
the HTML file containing the processed datastream (Block 68). If
action map data corresponding to the server site is not available,
the default value for action map data is used instead. The process
then determines whether the action map data indicate a response
should be generated for a detected trigger event (Block 70). If a
response is indicated by the action map data, the response is
executed (Block 72) and an event indicator for the processed
trigger event is included in a data envelope (Block 74). For
example, if an applet program is detected, the executed response
results in the applet program being disabled and an HTML statement
to display an event indicator is included in the data envelope for
display by the application program. Preferably the data envelope is
the HTML file coupled to one end of the datastream as discussed
above. This process is repeated for each detected trigger event
(Block 76) until all of the detected trigger events have been
processed. The process then generates an action menu providing
selections for the detected trigger events (Block 78) and the
action menu is included in the data envelope (Block 80). The data
envelope is then coupled to one end of the datastream (Block 82)
and the action map data used to process the datastream is placed in
the header of the datastream (Block 84). The processed datastream
and data envelope coupled to the datastream are then provided to
the application program (Block 86).

The datastream and coupled data envelope are then displayed by the
application program and the user may view the detected events. A
user may then select an action in the action menu. In the preferred
implementation, the actions in the action menu are performed by a
script program invoked from the action menu. The actions available
to a user in the preferred implementation include obtaining more
information about the server site which sent the detected trigger
event or modification of the action map data so a trigger event may
be used or executed. For example, to obtain more information about
the server site, the user may send a WHOIS query to the domain name
registration authority. This query is sent in the preferred
embodiment by establishing a HTTP session, or alternatively a
TELNET communications session, for transmission of the query to the
domain name registration authority. The response to the query
identifies the owner of the server site, its administrator, company
name, and e-mail address. The user may now activate a selection in
the action menu to send the identified administrator an e-mail
regarding the detected trigger event. In the preferred
implementation, a default message is provided for transmission to
the administrator. In another aspect of the preferred
implementation, the user may activate a selection in the action
menu to send a FINGER query to the server site to obtain
information regarding the administrator of the site. This
information may also be used to send an e-mail to the administrator
regarding the detected trigger event. After viewing the detected
trigger event, a user may determine that the detected trigger event
is acceptable to the user. In this case, the user selects an action
from the action menu which modifies a value in the action map data
so that subsequent transmissions permit the trigger event to be
received and used or executed.

Processing for outbound datastreams from the application program is
shown in FIG. 6. The process begins by intercepting the outbound
datastream before it is delivered to the communications stack
(Block 100). The action map data is extracted from the datastream
(Block 102) and used to modify event configuration data for the
corresponding server site (Block 104). The datastream is then
scanned for outbound trigger events using event configuration data
(Block 106). If a trigger event is detected (Block 108), the action
map data is used to determine whether a response for a detected
trigger event is to be generated (Block 112). If there is, the
response is generated (Block 114). This continues for each detected
trigger event (Block 116) until all of the detected trigger events
have been processed. The action map data is then deleted from the
header of the response (Block 118) and the datastream is then sent
to the communication stack for delivery to the server site (Block
120).

In operation, a user installs system 10 of the present invention on
a computer as it is activated with an application program.
Preferably, the installation associates system 10 with a user's
browser so system 10 is activated whenever the user activates the
browser. When the user activates the browser, system 10 [...] to
intercept datastreams before they are processed by communication
stack 12 and intercept incoming datastreams before they are
processed by the user's browser. These datastreams are scanned to
detect trigger events and detected trigger events are logged. If a
response for a detected trigger event is identified by
configuration data, the response is generated. Event indicators and
an action menu are then generated and an HTML file containing event
indicators and the action menu is coupled to the datastream. The
action map data is also stored in the header of the datastream. The
event indicators and action menu are presented and any action
selected by the user is executed. If no trigger event is found in a
datastream, an action menu is coupled to the datastream for
delivery to the application program so the user can modify the
action data, if desired.

[...] obtain information about the server site which delivered the
datastream containing the detected trigger events. This information
may be used to activate actions in the action menu which send
e-mail or other electronic messages to the administrator.
Additionally, the user may modify action map data to accept a
detected trigger event [...] the server site. The modified action
map data is stored in the header of a datastream for an outbound
request message. The request message is intercepted by system 10
and scanned for outbound trigger events. Additionally, the action
map data is [...] configuration file. The action map data is then
deleted from the header of the data request before it is delivered
to the communications stack for a transmission to the server site.

While the present invention has been illustrated by the description
of the preferred and alternative embodiments and while the
embodiments have been described in considerable detail, it is not
the intention of the applicant to restrict or in any way limit the
scope of the appended claims to such detail. Additional advantages
and modifications will readily appear to those skilled in the art.
For example, other hidden data fields may be identified as trigger
events and other actions may be presented and implemented by the
system and method of the present invention. The invention's broader
aspects are therefore not limited to the specific details,
representative apparatus and method, or illustrative examples shown
and described. Accordingly, departures may be made from such
details without departing from the spirit or scope of applicant's
general inventive concepts.

What is claimed is:

1. A system for responding to trigger events detected in a
datastream comprising:

an interceptor for intercepting a datastream before the
datastream is processed by an application program;

a scanner for scanning the intercepted datastream and
detecting a trigger event in the intercepted datastream;

an event response generator for generating a response
having event indicators to said detected trigger event in
correspondence with action map data so that said
detected trigger events may be displayed and said event
indicators and an action menu are included in a data
envelope of the scanned datastream for delivery to an
application program.

2. The system of claim 1 wherein the interceptor inter- 
cepts the datastream in the application space of the appli- 
cation program for which datastreams are being intercepted. 

3. The system of claim 1, the interceptor including a 
communication socket which executes as a process in a top 
layer of a communication stack, the communication socket 
for providing the intercepted datastream to the scanner prior 
to generation of a signal indicating the datastream is avail- 
able for the application program. 

4. The system of claim 1 wherein the data envelope is an 
HTML file. 

5. The system of claim 4 further comprising: 

a script language program for implementing said action 
menu. 

6. The system of claim 1 wherein the event response 
generator generates a response for a detected trigger event in 
an outbound message in correspondence with a user's modi- 
fication of the action map data. 

7. The system of claim 1 wherein said scanner detects one 
of an embedded identifier, unidentified file request, and an 
embedded command. 

8. The system of claim 1 wherein the embedded command 
is one of an identifier assignment, a hidden command, and 
an execution command. 

9. A method for detecting and responding to trigger events 
in a datastream comprising: 

intercepting a datastream before the datastream is pro- 
cessed by an application program; 

scanning the intercepted datastream and detecting a trig- 
ger event in the intercepted datastream; 

generating a response to said detected trigger event in 
correspondence with configuration data, the response 
including displaying an action menu including one or 
more user selectable options corresponding to actions 
to be executed in response to the detected trigger event; 
and 

generating a log of detected trigger events. 

10. The method of claim 9, said datastream scanning 
further comprising: 

detecting one of an embedded identifier, unidentified file
request, and an embedded command; and

notifying the user of the detection.

11. The method of claim 10 further comprising the step of: 
disabling said detected command. 

12. The method of claim 9, the detected trigger event 
generation further comprising: 

generating an event time, trigger event source identifier, 
trigger event identifier, and a selected action identifier 
for the log of trigger events. 

13. The method of claim 12, the detected trigger event 
generation further comprising: 

generating file identifiers for the log of trigger events, the 
file identifiers identifying files corresponding to the 
detected trigger event. 

14. The method of claim 9 wherein the intercepting step: 
intercepts the datastream at a communication socket level. 

15. The method of claim 9 wherein the intercepting step 
intercepts the datastream in an application process space for 
a browser program. 
16. The method of claim 9 further comprising:

generating event indicators for detected trigger events;
and

delivering said event indicators to the application program
in a data envelope.

17. The method of claim 16 further comprising:

encapsulating said event indicators and an action menu in
a data envelope; and

coupling the data envelope to the datastream for delivery
to the application program.

18. The method of claim 17 wherein the encapsulating 
step encapsulates the event indicators and the action menu in 
an HTML file. 

19. A system for responding to trigger events detected in 
a datastream comprising: 

an interceptor for intercepting a datastream before the 
datastream is processed by an application program; 

a scanner for scanning the intercepted datastream and 
detecting a trigger event in the intercepted datastream; 

an event response generator for generating a response to 
said detected trigger event, the response including 
displaying an action menu including one or more user 
selectable options corresponding to actions to be 
executed in response to the detected trigger event. 

20. The system of claim 19 wherein said scanner detects 
one of an embedded identifier, unidentified file request, and 
an embedded command. 

21. The system of claim 20 wherein the embedded iden- 
tifier is a cookie data field in a header of the scanned 
datastream. 

22. The system of claim 20 wherein the unidentified file 
request is one of a user Universal Resource Locator (URL) 
and a URL request in a downloaded file. 

23. The system of claim 20 wherein the embedded com- 
mand is one of an identifier assignment, a hidden command, 
and an execution command. 

24. The system of claim 19, the event response generator 
generating an action menu identifying an electronic mail 
(e-mail) option, an action map modification option, and an 
abort option. 

25. The system of claim 19 wherein the interceptor 
intercepts disk input/output (I/O) utility calls so that disk I/O 
is disabled, the interception of disk I/O being enabled in 
response to initiation of a communication session with a 
communication stack. 

26. The system of claim 19, wherein the event response is 
generated in correspondence with action map data. 

27. The system of claim 19, wherein the interceptor 
intercepts the datastream in the application space of the 
application program. 

28. A system for responding to trigger events detected in 
a datastream comprising: 

an interceptor for intercepting a datastream before the 
datastream is processed by an application program; 

a scanner for scanning the intercepted datastream and 
detecting an identifier selected from the group includ- 
ing a cookie data field in a header of the scanned 
datastream, an unidentified file request, and an embed- 
ded command in the intercepted data stream; 

means for notifying a user of the detected identifier; 

an event response generator for generating a response to 
said detected trigger event, the response including 
displaying an action menu including one or more user 
selectable options corresponding to actions to be 
executed in response to the detected trigger event. 
29. A system for responding to trigger events detected in
a datastream comprising:

an interceptor for intercepting a datastream before the
datastream is processed by an application program;

a scanner for scanning the intercepted datastream and
detecting an identifier selected from the group including
an embedded identifier, a user Universal Resource
Locator (URL), a URL request, and an embedded
command in the intercepted data stream;

means for notifying a user of the detected identifier;

an event response generator for generating a response to
said detected trigger event, the response including
displaying an action menu including one or more user
selectable options corresponding to actions to be
executed in response to the detected trigger event.

30. A system for responding to trigger events detected in
a datastream comprising:

an interceptor for intercepting a datastream before the
datastream is received by an application program;

a scanner for scanning the intercepted datastream and
detecting one of a cookie data field in a header of the
scanned datastream, unidentified file request, and an
embedded command in the intercepted datastream;

means for notifying a user of the detected identifier, file
request or embedded command; and

an event response generator for generating an action menu
identifying an electronic mail (e-mail) option, an action
map modification option, and an abort option.

31. A system for responding to trigger events detected in
a datastream comprising:

an interceptor for intercepting a datastream before the
datastream is received by an application program and
for intercepting disk input/output (I/O) utility calls so
that disk I/O is disabled, the interception of disk I/O
being enabled in response to initiation of a communication
session with a communication stack;

a scanner for scanning the intercepted datastream and
detecting one of a cookie data field in a header of the
scanned datastream, unidentified file request, and an
embedded command in the intercepted datastream;

means for notifying a user of the detected identifier, file
request or embedded command; and

an event response generator for generating a response to
said detected trigger event in correspondence with
action map data.

32. A method for detecting and responding to trigger
events in a datastream comprising:

intercepting a datastream before the datastream is
received by an application program;

scanning the intercepted datastream and detecting a trigger
event in the intercepted datastream;

generating a response to said detected trigger event in
correspondence with configuration data; and

presenting an action menu identifying an electronic mail
(e-mail) option, a configuration data modification
option, and an abort option.

33. The method of claim 32 further comprising:

locating an e-mail address corresponding to an originator
for the detected trigger event; and

sending an e-mail message to the located e-mail address
in response to the e-mail option in the action menu
being selected.

34. The method of claim 32 further comprising:

modifying the detected trigger event in the intercepted
datastream before the intercepted datastream is provided
to the application program in response to the
modification option of the action menu being selected.

35. The method of claim 32 further comprising:

generating an abort message for the application program
in response to the abort option of the action menu being
selected.

36. A method for detecting and responding to trigger
events in a datastream comprising:

intercepting a datastream before the datastream is received
by an application program;

scanning the intercepted datastream and detecting an
embedded command;

disabling said detected command;

notifying a user of the detected command in the intercepted
datastream; and

generating a response to said detected command in
correspondence with configuration data, the response
including displaying an action menu including one or
more user selectable options corresponding to actions
to be executed in response to the detected trigger event.

37. The method of claim 36 wherein comment characters 
are placed around said detected command to disable said 
command. 

38. The method of claim 36 wherein a return command is 
placed at a program invoked by said detected command to 
disable said command. 

39. A method for detecting and responding to trigger 
events in a datastream comprising: 

intercepting a datastream before the datastream is 
received by an application program; 

scanning the intercepted datastream and detecting a trig- 
ger event in the intercepted datastream; 

generating a response to said detected trigger event in 
correspondence with configuration data; and 

disabling disk I/O in response to initiation of a commu- 
nication session with a communication stack. 

40. A method for detecting and responding to trigger 
events in a datastream comprising: 

intercepting a datastream before the datastream is 
received by an application program; 

scanning the intercepted datastream and detecting a trig- 
ger event in the intercepted datastream; 

generating a response to said detected trigger event in 
correspondence with configuration data; 

generating event indicators for detected trigger events; 

encapsulating said event indicators and an action menu in 
a cookie data field of an HTTP header for an HTML 
file; 

coupling said HTML file to said datastream; and 
delivering said datastream with said coupled HTML file to 
said application program. 

***** 